In Illinois, the Biometric Information Privacy Act (“BIPA”) regulates the collection and use of “biometric information” such as fingerprints, facial images, and voice records.  It imposes significant penalties and has generated a cottage industry of class action litigation—hundreds of cases have been filed and millions of dollars in liability have been assessed.  It is also the most well known and heavily litigated of a slew of newly enacted, or soon to be passed, state and local laws aimed to regulate biometric information.

Many Illinois defendants had hoped that their liability under BIPA could be limited because, they argued, a one-year statute of limitations should apply to BIPA claims.  But, in a recently issued decision, Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the Illinois Court of Appeals rejected this position for a majority of BIPA claims.  It held that a five-year statute of limitations applies to the most frequently cited sections of the statute.

BIPA Overview

BIPA imposes numerous restrictions on how private entities collect, retain, disclose, and destroy biometric identifiers, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or biometric information.  Specifically, Section 15 of the Act contains five subsections:

  • Section (a) requires that “[a] private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public,” for a retention schedule and guidelines for permanently destroying biometric information.
  • Section (b) provides that a private entity may obtain biometric information only if it first informs the subject that biometric information is being collected and obtains a written release from that person.
  • Section (c) provides that no entity may “sell, lease, trade, or otherwise profit” from a person’s biometric information.
  • Section (d) restricts disclosure of biometric information without the subject’s consent.
  • Section (e) requires a high standard of care in storing, transmitting, and protecting biometric information.

Under BIPA, any person “aggrieved” by a violation of any of its provisions “shall have a right of action . . . against an offending party” and “may recover for each violation” the greater of liquidated damages or actual damages and reasonable attorney fees and costs.  740 Ill. Comp. Stat. Ann. 14/20.  The language of BIPA includes no specific statute of limitations.

Case Summary

Tims contains facts common to many BIPA actions.  There, plaintiffs alleged that their employer scanned the fingerprints of its employees and used such scanning in its timekeeping system.  Plaintiffs also alleged that their employer did not inform its employees of the purpose of this scanning, did not receive a release from plaintiffs prior to obtaining fingerprints or disseminating the information to third parties, or did not provide a retention schedule for destroying fingerprints.  They then filed claims under Section 15(a) of BIPA for failing to maintain a written policy regarding retention of biometric information, Section 15(b) for failing to inform employees that biometric information was being stored and to obtain a written release from employees, and Section 15(d) for failing to obtain consent from employees before sharing biometric information.

Defendants filed a motion to dismiss the claims based on the running of the statute of limitations.  They claimed that a one-year statute of limitations in Section 13-201—which governs certain Illinois claims related to the right of privacy—should apply to all claims under BIPA, because any BIPA claim concerns privacy.  Plaintiffs argued that a general five-year statute of limitations that applies to civil claims in Illinois should apply.

The court reviewed the language of Section 13-201 and its requirement that a claim involve “publication” of matter concerning privacy.  It noted that Illinois courts had recognized two types of privacy interests: secrecy (the right to keep things confidential) and seclusion (the right to be left alone).  It then observed that the one-year statute of limitations applied only to secrecy claims, not to seclusion claims.  It concluded that “Section 13-501 does not encompass all privacy actions but only those where publication is an element or inherent part of the action.”

The court then applied this reasoning to BIPA claims.  It noted that of the five claims enumerated in Section 15 of BIPA, three such claims have “absolutely no element of publication.”  Any claim for failing to maintain a written policy regarding retention of biometric information (Section 15(a)), collecting or obtaining biometric data without written consent (Section 15(b)), or not taking reasonable care in storing, transmitting, and protecting biometric data (Section 15(e)) did not involve publication.  The one-year statute of limitations in Section 13-501 could not apply to such claims.  In contrast, two sections of BIPA, Sections 15(c) and (d), concerned dissemination of biometric data and sale of biometric data.  Any action under these sections, the court concluded, is an action for publication.  The one-year statute of limitations of Section 13-501 applies to such categories of claims.

What You Should Know

The Illinois Court of Appeals holding in Tims will almost certainly be appealed to the Illinois Supreme Court, but, for now, the decision signals that a potential defense to many BIPA claims is only partially effective.  Because most BIPA class actions include claims under Section 15(a), Section 15(b), or Section 15(e), the statute of limitations for most BIPA actions will remain at five years and the size of the class and extent of liability will not be significantly reduced.

Any company that has used or is considering the use of biometric technology should carefully review its policies and discuss its options with an attorney.